您最多选择25个主题 主题必须以字母或数字开头,可以包含连字符 (-),并且长度不得超过35个字符

121 行
4.6KB

  1. <?xml version="1.0" encoding="UTF-8"?>
  2. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
  3. "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
  4. <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head>
  5. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
  6. <meta name="description" content="Explains how to speed up HTML Purifier through caching or inbound filtering." />
  7. <link rel="stylesheet" type="text/css" href="./style.css" />
  8. <title>Speeding up HTML Purifier - HTML Purifier</title>
  9. </head><body>
  10. <h1 class="subtitled">Speeding up HTML Purifier</h1>
  11. <div class="subtitle">...also known as the HELP ME LIBRARY IS TOO SLOW MY PAGE TAKE TOO LONG page</div>
  12. <div id="filing">Filed under End-User</div>
  13. <div id="index">Return to the <a href="index.html">index</a>.</div>
  14. <div id="home"><a href="http://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div>
  15. <p>HTML Purifier is a very powerful library. But with power comes great
  16. responsibility, in the form of longer execution times. Remember, this
  17. library isn't lightly grazing over submitted HTML: it's deconstructing
  18. the whole thing, rigorously checking the parts, and then putting it back
  19. together. </p>
  20. <p>So, if it so turns out that HTML Purifier is kinda too slow for outbound
  21. filtering, you've got a few options: </p>
  22. <h2>Inbound filtering</h2>
  23. <p>Perform filtering of HTML when it's submitted by the user. Since the
  24. user is already submitting something, an extra half a second tacked on
  25. to the load time probably isn't going to be that huge of a problem.
  26. Then, displaying the content is a simple a manner of outputting it
  27. directly from your database/filesystem. The trouble with this method is
  28. that your user loses the original text, and when doing edits, will be
  29. handling the filtered text. While this may be a good thing, especially
  30. if you're using a WYSIWYG editor, it can also result in data-loss if a
  31. user makes a typo. </p>
  32. <p>Example (non-functional):</p>
  33. <pre>&lt;?php
  34. /**
  35. * FORM SUBMISSION PAGE
  36. * display_error($message) : displays nice error page with message
  37. * display_success() : displays a nice success page
  38. * display_form() : displays the HTML submission form
  39. * database_insert($html) : inserts data into database as new row
  40. */
  41. if (!empty($_POST)) {
  42. require_once '/path/to/library/HTMLPurifier.auto.php';
  43. require_once 'HTMLPurifier.func.php';
  44. $dirty_html = isset($_POST['html']) ? $_POST['html'] : false;
  45. if (!$dirty_html) {
  46. display_error('You must write some HTML!');
  47. }
  48. $html = HTMLPurifier($dirty_html);
  49. database_insert($html);
  50. display_success();
  51. // notice that $dirty_html is *not* saved
  52. } else {
  53. display_form();
  54. }
  55. ?&gt;</pre>
  56. <h2>Caching the filtered output</h2>
  57. <p>Accept the submitted text and put it unaltered into the database, but
  58. then also generate a filtered version and stash that in the database.
  59. Serve the filtered version to readers, and the unaltered version to
  60. editors. If need be, you can invalidate the cache and have the cached
  61. filtered version be regenerated on the first page view. Pros? Full data
  62. retention. Cons? It's more complicated, and opens other editors up to
  63. XSS if they are using a WYSIWYG editor (to fix that, they'd have to be
  64. able to get their hands on the *really* original text served in
  65. plaintext mode). </p>
  66. <p>Example (non-functional):</p>
  67. <pre>&lt;?php
  68. /**
  69. * VIEW PAGE
  70. * display_error($message) : displays nice error page with message
  71. * cache_get($id) : retrieves HTML from fast cache (db or file)
  72. * cache_insert($id, $html) : inserts good HTML into cache system
  73. * database_get($id) : retrieves raw HTML from database
  74. */
  75. $id = isset($_GET['id']) ? (int) $_GET['id'] : false;
  76. if (!$id) {
  77. display_error('Must specify ID.');
  78. exit;
  79. }
  80. $html = cache_get($id); // filesystem or database
  81. if ($html === false) {
  82. // cache didn't have the HTML, generate it
  83. $raw_html = database_get($id);
  84. require_once '/path/to/library/HTMLPurifier.auto.php';
  85. require_once 'HTMLPurifier.func.php';
  86. $html = HTMLPurifier($raw_html);
  87. cache_insert($id, $html);
  88. }
  89. echo $html;
  90. ?&gt;</pre>
  91. <h2>Summary</h2>
  92. <p>In short, inbound filtering is the simple option and caching is the
  93. robust option (albeit with bigger storage requirements). </p>
  94. <p>There is a third option, independent of the two we've discussed: profile
  95. and optimize HTMLPurifier yourself. Be sure to report back your results
  96. if you decide to do that! Especially if you port HTML Purifier to C++.
  97. <tt>;-)</tt></p>
  98. </body>
  99. </html>
  100. <!-- vim: et sw=4 sts=4
  101. -->